In a registration form the user is asked for their e-mail address. The e-mail address will be validated for the correct format (e.g. it at least contains an @), and I'm considering checking if it's already registered. Would this pose a security risk, as it would allow attackers to verify e-mail addresses of users with accounts? If so, how can the threat be mitigated?

3 Answers
3

To avoid this kind of leak, you could also begin the registration process by asking for the e-mail. After entering it, you would send an e-mail with a link so that the user could continue with the registration process. If the e-mail was already registered, you would send an e-mail saying that.

That way, only the owner of the e-mail could register.

Drawbacks:

Real, ordinary users will probably get bored by having so many steps to register.

In very few cases is simply revealing that an e-mail is already registered on a site a problem, especially because it's easy to register at any site providing any e-mail address that you want. You just won't receive the e-mail to activate your account, but in general the site will link the account / username to that e-mail.

Using a username rather than an e-mail address is one method, or use a combination of both for security-sensitive stuff like password resets. This renders discovering that a particular e-mail address exists less useful if both a username and an e-mail are needed.

It isn't such a big deal to leak the fact that a particular e-mail address exists in most cases, unless privacy is a large concern, in which case using usernames exclusively for uniqueness might be preferred. Alternatively, you could allow the account to appear to be created, but send an e-mail to the address given stating that an account already exists.

I have seen more sites change the response to accounts having been created (the notification) to something like "If the account exists, an e-mail will be sent" rather than "there is no such account" (which allows someone registering to know whether or not an account already exists). If you are looking to stop "account enumeration," give OWASP a look: "Testing for User Enumeration and Guessable User Account".
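The three answers describe the same mitigation from different angles: take the e-mail first, answer every submission with one identical message, and let the e-mail itself carry the difference (a signed continue-registration link for a new address, an "you already have an account" notice for a registered one). The following is an added example of that flow, written for this page and not code from any of the answerers. It assumes an in-memory set standing in for the user table, a list standing in for the outgoing mail queue, and a hypothetical `https://example.test/register` page as the link target; the addresses and key are constructed sample data. Note that it only equalises the HTTP response body: a practitioner should also check that response time, status code and headers do not differ between the two paths, and apply the same pattern to the password-reset form, which leaks the same fact if it says "no such account".

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data: a stand-in for the user table and for a key held in a secrets store.
REGISTERED = {"alice@example.test", "bob@example.test"}
SIGNING_KEY = secrets.token_bytes(32)

# Hypothetical URL of the page that finishes registration (assumption, not from the page).
REGISTER_URL = "https://example.test/register"
TOKEN_TTL_SECONDS = 3600


@dataclass
class OutboundMail:
    to: str
    subject: str
    body: str


@dataclass
class RegistrationService:
    registered: set                       # addresses that already have an account
    signing_key: bytes
    outbox: list = field(default_factory=list)  # stand-in for the mail queue

    @staticmethod
    def normalize(email: str) -> str:
        return email.strip().lower()

    def _token(self, email: str, issued_at: int) -> str:
        # HMAC over address and issue time, so the link only works for this address
        # and only for a limited time. Only the mailbox owner ever sees it.
        msg = f"{email}|{issued_at}".encode()
        return f"{issued_at}.{hmac.new(self.signing_key, msg, hashlib.sha256).hexdigest()}"

    def begin_registration(self, email: str, now: Optional[int] = None) -> str:
        """Step 1 of the e-mail-first flow: the returned message is identical whether or
        not the address is registered; only the e-mail that gets queued differs."""
        now = int(time.time()) if now is None else now
        addr = self.normalize(email)
        if "@" not in addr:
            # A format error says nothing about accounts, so it can be reported directly.
            return "Please enter a valid e-mail address."
        token = self._token(addr, now)  # computed on both paths so the work is similar
        if addr in self.registered:
            mail = OutboundMail(addr, "You already have an account",
                                "Someone entered this address on the sign-up form. "
                                "If it was you, sign in or use the password reset instead.")
        else:
            link = f"{REGISTER_URL}?{urlencode({'email': addr, 'token': token})}"
            mail = OutboundMail(addr, "Finish creating your account",
                                f"Continue registration here: {link}")
        self.outbox.append(mail)
        return "Check your inbox for the next step."

    def complete_registration(self, email: str, token: str, now: Optional[int] = None) -> bool:
        """Step 2: called from the link in the e-mail, so only the mailbox owner gets here."""
        now = int(time.time()) if now is None else now
        addr = self.normalize(email)
        try:
            issued_at = int(token.split(".", 1)[0])
        except ValueError:
            return False
        if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
            return False  # forged timestamp or expired link
        expected = self._token(addr, issued_at)
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False  # token was issued for a different address or tampered with
        if addr in self.registered:
            return False  # someone completed registration for this address in the meantime
        self.registered.add(addr)
        return True


def token_from_mail(mail: OutboundMail) -> str:
    """Pull the token out of the queued e-mail, as the user clicking the link would."""
    link = mail.body.split(": ", 1)[1]
    return parse_qs(urlparse(link).query)["token"][0]
```

The only place a registered and an unregistered address diverge is inside the mailbox, which is exactly what the answers above recommend; the web response gives an enumerating attacker nothing to compare.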